Secure elements consist mainly of tiny microcontrollers, which provide service by generating and storing secrets and performing cryptographic operations.
Thomas Roche of NinjaLab finds a major security flaw in the crypto library of Infineon Technologies affecting a diverse range of secure elements and FIDO hardware tokens, including the popular YubiKey 5 Series.
The vulnerability, which is called EUCLEAK, capitalizes on a flaw in the implementation of ECDSA and involves a non-constant-time modular inversion operation.
While the flaw enables threat actors to clone devices by extracting secret keys.
Thomas said this security flaw enables attackers with temporary physical presence to recover the secure keys using an unethical practice known as Electromagnetic Analysis, which monitors power fluctuations to reconstruct a device’s internal workings.
Are You From SOC/DFIR Teams? - Try Advanced Malware and Phishing Analysis With ANY.RUN - 14 day free trial
This vulnerability affects gadgets that are developed on Infineon SLE78 MCUs, including YubiKey 5 Series (firmware versions below 5.7), and extends even to new Infineon products such as Optiga Trust M and Trust Platform Module security chips.
Perhaps surprisingly, this vulnerability went undetected for 14 years despite undergoing about eighty high-level security common criteria certification schemes.
This vulnerability affects the YubiKey 5 Series and Security Key Series, as well as the YubiHSM 2 with firmware before 2.4.0.
Besides this, the CVE ID for the flaw is still in process, but got a CVSS Severity score of “4.9,” and has been tracked with the “YSA-2024-03,” tracking ID.
The implications are far-reaching, as a number of secure systems that use these components may potentially be put at risk, and the components include:-
Although the attack is only possible with some physical access, special equipment, and some technical skills, it could enable threat actors to harvest FIDO devices and make copies of them which are robbing the devices of their main purpose, which is effective security against phishing.
Despite this vulnerability, the researchers pointed out that even using these compromised FIDO tokens would be better than having no hardware security measures in place.
Exploiting the flaw requires physical possession of the device, and additionally, PIN codes or passwords must be available.
The vulnerability in question will mainly affect the use cases for FIDO and may have impacts on PIV and OpenPGP usage, depending on implementation.
The choice of algorithms might also influence the use of YubiHSM 2.
To avoid the risks mentioned above and keep the supply chain exposure to a minimum, Yubico has stopped using Infineon’s library in later firmware versions and implemented its own cryptographic solutions in the software.
What Does MITRE ATT&CK Expose About Your Enterprise Security? - Watch Free Webinar!
Google has officially launched Vanir, an open-source security patch validation tool designed to streamline and automate…
A newly disclosed transaction-relay jamming vulnerability has raised concerns about the security of Bitcoin nodes,…
Raspberry Pi, a pioneer in affordable and programmable computing, has once again elevated its game…
Qlik has identified critical vulnerabilities in its Qlik Sense Enterprise for Windows software that could…
QNAP Systems, Inc. has identified multiple high-severity vulnerabilities in its operating systems, potentially allowing attackers…
Imagine this: It's a typical Tuesday morning in a bustling hospital. Doctors make their rounds,…